Personal Data Protection Policy

Announcement of Ratch Group Public Company Limited

No. 2/2022

Re: Privacy Policy

Ratch Group Public Company Limited (the “Company”) is aware of the importance of personal data protection and thus aims to have secured and clear management of personal data throughout the collection, use and disclosure, including retention thereof, for effective implementation in accordance with Personal Data Protection Act B.E. 2562 (2019) and its amendments, rules, regulations, announcements or orders relating thereto (“Data Protection Law”), to build trust and prevent negative impact to the Company’s personnel at all levels, including directors and executives of the Company. The Chief Executive Officer, therefore, revoked the Announcement of Ratch Group Public Co., Ltd. No. 3/2564 Re: Privacy Policy for Ratch Group Public Co., Ltd. dated 8 February 2021, and considered that it is appropriate to establish the Privacy Policy of the Company as described below:

1. All directors, executives and employees of the Company shall strictly comply with laws, policies, regulations, provisions, manuals or any guidelines of the Company relating to personal data protection.
2. Directors and executives in all departments shall build awareness and understanding regarding the importance of personal data protection and support privacy risk management at every level of the Company, including arranging for effective internal control measures to prevent unauthorized or unlawful collection, use or disclosure of personal data.
3. The Company has appointed a Data Protection Officer (DPO) to provide advice, consultation and inspection of operations relating to the Company's collection, use or disclosure of personal data to comply with the Data Protection Law, including to coordinate and cooperate with the Office of the Personal Data Protection Committee. In this regard, the executives of the Company shall support the Data Protection Officer (DPO) by providing adequate tools and equipment and facilitating access to personal data for carrying out their duties properly.
4. The collection of personal data shall be limited to the extent as it is necessary under the lawful purpose for the Company’s personal data processing only.
5. The Company shall obtain explicit consent from the data subject for collection, use, or disclosure of personal data and shall inform the data subject of necessary details prior to or at the time of such collection as required by the Data Protection Law.
6. The collection, use, or disclosure of personal data shall be in accordance with the purpose notified to the data subject prior to or at the time of such collection unless the law stipulates otherwise. The Company shall not collect personal data from other sources apart from the data subject directly, unless the Company has informed the data subject of the collection of personal data from other sources without delay and has obtained consent from the data subject, or has been exempted as stipulated by the Data Protection Law.
7. All departments shall prepare and maintain the Data Inventory in accordance with requirements and methods of the Data Protection Law to enable the data subjects and the Office of the Personal Data Protection Committee to inspect such Data Inventory. The Company shall ensure that the Data Inventory is accurate, complete, up-to-date and absolute at all times.
8. All departments shall establish appropriate and adequate security measures of personal data for preventing unauthorized or unlawful loss, access to, use, alteration, or disclosure of personal data in the Company's possession and shall regularly review such security measures, or when it is necessary, or when the technology has changed in order to ensure that the Company has security measures of personal data that are effective, sufficient, appropriate and in accordance with the Data Protection Law.
9. All departments shall provide a monitoring system for deletion or destruction of the personal data after the expiration of the retention period or when the personal data is irrelevant or beyond the necessity for the purpose of personal data collection, except where the retention is for the purpose as stipulated by the Data Protection Law.
10. In the event that the data processor is required to proceed with the collection, use, or disclosure of personal data pursuant to the orders given by or on behalf of the Company, the Company shall enter into an agreement with the data processor to supervise the performance of the data processor to be in accordance with the Data Protection Law and to prevent the data processor from using or disclosing such personal data unlawfully or beyond the specified scope.
11. In the case where the Company discloses personal data in its possession to other entities or third parties, e.g., government authorities, supervisory authorities, or competent officials exercising power pursuant to the law, etc., according to their request, the Company shall ensure that the Company has obtained a consent for such disclosure from the data subject, unless it is the case where a consent for personal data disclosure is not required according to the Data Protection Law, for example, it is necessary for compliance with the law, or it is to prevent or suppress a danger to life, body or health of the person where the data subject is incapable of giving consent by whatever reason, or it is necessary for the establishment of legal claims, etc., as the case may be. In this regard, the Company shall maintain a record of such disclosure.
12. In the case where it is necessary for the Company to send or transfer personal data to foreign countries, the Company shall ensure that the destination country that receives such personal data shall have adequate data protection standard.
13. All relevant departments shall take any actions to support the data subject’s rights request according to the Data Protection Law, including providing a monitoring system of such proceedings to ensure that the data subject’s right requests are responded properly without delay and within the period required by the Data Protection Law. In the case where the Company rejects the data subject’s requests, the Company shall record such rejection of the data subject’s rights request together with reasons.
14. All departments shall cooperate with the Data Protection Officer in notifying the Office of the Personal Data Protection Committee of any personal data breach without delay within 7 2 hours after having become aware of the breach unless such personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject. In addition, if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the Company shall also notify the data subject of the personal data breach together with remedial measures without delay.
15. All departments shall cooperate with the Data Protection Officer and the Office of the Personal Data Protection Committee when the Company is requested to submit documents or information regarding the personal data protection, including clarifying the facts to support the investigation and operations of the Data Protection Officer and the Office of the Personal Data Protection Committee.

This Privacy Policy applies to personnel of the Company at all levels, including directors and executives of the Company. Therefore, all personnel shall understand and comply with this Policy. In particular, the executives at all levels shall be the role model and support and push for serious practices throughout the organization. In this regard, the Privacy Notice, consent forms and other contracts are as attached hereto.

Please be informed and comply accordingly.

Announced on 8 April 2022

Chief Executive Officer